Identity Mapping in the OneFS Clustered File System
Steven Danneman, EMC, Isilon Storage Division
September 20, 2012
2012 Storage Developer Conference (SNIA). © EMC. All Rights Reserved.


The Big Picture

[Diagram: two parallel paths, Windows on the left and Unix on the right, with Identity Mapping bridging them.]

Authentication -> Token Creation:
• Windows Access Token: Owner: S-1-5-21-1-2-3-100, Primary Group: S-1-5-21-1-2-3-101, Groups: S-1-5-21-1-2-3-200 …
• Unix ucred: UID: 100, GID: 100, Groups: 200 250 …

Authorization -> Access Control -> Access Check:
• Windows DACL: Owner: S-1-5-21-1-2-3-100, Group: S-1-5-21-1-2-3-101, ACEs: S-1-5-21-1-2-3-100 allow FULL CONTROL; S-1-5-21-1-2-3-101 allow READ
• Unix Mode Bits: UID: 100, GID: 100, Owner: rwx, Group: rwx, Other: r--

OneFS File System

• Clustered NAS file server
• Single volume
• Concurrent access to all files with all protocols: SMB/SMB2/SMB2.1, NFSv3/NFSv4, HTTP/FTP, SSH
• Exposes NTFS and POSIX file system semantics

[Diagram: an NTFS client and a POSIX client both accessing the single volume / containing bin/ dev/ etc/ usr/ var/.]

Identities

Protocol   ID          ID Space                      Separate U/G Space   Example
SMB        SID         Sub-authorities; RID: 2^32    No                   S-1-5-1-2-3-100
NFSv3      UID         2^32                          Yes                  1001
NFSv3      GID         2^32                          Yes                  1001
NFSv4      Principal   string                        Yes                  [email protected]
HTTP/FTP   Name        string                        N/A                  user

Identity Sources

[Diagram: identity providers grouped by the kind of ID they supply.]

• SAM (Windows): AD, Local -> SIDs
• /etc/passwd (Unix): LDAP, NIS, Local -> UIDs, GIDs
• AD + RFC2307: SIDs together with UIDs/GIDs held in AD

Environments - Simple

• Active Directory only: store SIDs on disk, use ACLs
• Unix (LDAP/NIS) only: store UIDs/GIDs on disk, use mode bits
• Local only: assign a SID and a UID/GID to all users and groups

[Diagram: each provider on its own (AD; LDAP/NIS; Local) in front of the single volume /.]

Environments - Difficult

• Active Directory + LDAP: store ??? on disk, use ??? for access control
• Active Directory + NIS: store ??? on disk, use ??? for access control
• Active Directory + RFC2307: store ??? on disk, use ??? for access control

[Diagram: AD combined with LDAP, with NIS, and with RFC2307 in front of the single volume /.]

ID Mapping Goals

1) Equate all Windows IDs to Unix IDs
2) Do most work during authentication: authentication happens once, authorization happens many times
3) Enforce the same Access Check from all protocols
4) Store the most authoritative ID on disk
5) Never store names

Types of Mappings

• External: derived from ID sources outside of OneFS
  – AD + RFC2307
  – LDAP / NIS: username match between providers
• Algorithmic: created by adding a UID or GID to a well-known base SID
  – UNIX_USER domain: S-1-5-21-<UID>
  – UNIX_GROUP domain: S-1-5-22-<GID>
• Manual: set explicitly by an administrator
• Automatic: generated from a fixed range of UIDs/GIDs, 1,000,000 to 2,000,000

Types of Mappings

Type                  Description                              Store in DB   Use On-Disk
External
  – LDAP / NIS        Normalized username lookup match.        Yes           Yes
  – AD + RFC2307      Retrieve from AD via LDAP.               No            Yes
Algorithmic                                                    No            No
Manual                Set explicitly by admin.                 Yes           Yes
Automatic             Generate if nothing better is found.     Yes           No

(A vertical AUTHORITATIVE label runs alongside the table, ranking the types from top to bottom.)

ID Mapper Database

• 1-to-1 mappings, stored as one-way mappings; use two for symmetry:
  SID -> UID
  UID -> SID
• Also store mapping flags:
  – Type: external, automatic, manual
  – Preferred for on-disk use
• Distributed key-value pair hash table with a caching layer on top

OneFS Native Token

[Diagram: the Windows Access Token and the Unix ucred are combined into one OneFS Native Token.]

Access Token: Owner: S-1-5-21-1-2-3-100, Primary Group: S-1-5-21-1-2-3-101, Groups: S-1-5-21-1-2-3-200 …
ucred: UID: 100, GID: 100, Groups: 200 250 …

OneFS Native Token:
  UID: 100                 SID Owner: S-1-5-21-1-2-3-100              On-Disk Owner: UID
  GID: 100                 SID Primary Group: S-1-5-21-1-2-3-101      On-Disk Group: SID
  GID Groups: 200 250 …    SID Groups: S-1-5-21-1-2-3-200 S-1-5-21-1-2-3-211 …

Native Token Creation

[Diagram: a four-stage pipeline, shown once per stage on slides 16 to 20.]

Get Initial Credential -> ID Mapper -> User Mapper -> Calculate On-Disk ID

Get Initial Credential. The client provides one of:
• a Username, resolved against Local, LDAP or NIS to a ucred (UID: 100, GID: 100, Groups: 200 250 …)
• an Access Token, carried in the PAC (Privilege Attribute Certificate): Owner: S-1-5-21-1-2-3-100, Primary Group: S-1-5-21-1-2-3-101, Groups: S-1-5-21-1-2-3-200 …
• a ucred
• a UID/GID
The result is a partial Native Token: UID: 100, SID Owner: S-1-5-21-1-2-3-100, GID: 100, SID Primary Group: S-1-5-21-1-2-3-101.

ID Mapper. Consults the ID Map DB to fill in the missing half of each ID; from the Access Token it yields UID: 100, SID Owner: S-1-5-21-1-2-3-100, GID: 100, SID Primary Group: S-1-5-21-1-2-3-101, SID Groups: S-1-5-21-1-2-3-200 …

User Mapper. Merges identities from a second provider (Local, LDAP/NIS + AD), for example adding the ucred Groups: 200 250 …, so the token carries both GID Groups: 200 250 … and SID Groups: S-1-5-21-1-2-3-200 …

Calculate On-Disk ID. Using algorithmic and automatic mappings, the providers (Local, LDAP/NIS, AD) and the ID Map DB, fills in On-Disk Owner: UID and On-Disk Group: SID, giving the complete OneFS Native Token: UID: 100, SID Owner: S-1-5-21-1-2-3-100, On-Disk Owner: UID, GID: 100, SID Primary Group: S-1-5-21-1-2-3-101, On-Disk Group: SID, GID Groups: 200 250 …, SID Groups: S-1-5-21-1-2-3-200 …

On-Disk ID

Given an input ID, determine whether it, or the 1-to-1 ID it maps to, should be written to disk.

Used in:
• File owner
• File group
• Trustee in file ACLs

Cluster-wide configuration:
• Native: determine the most authoritative ID
• Unix: only store UID/GID
• SID: only store SID

On-Disk ID - Native

• Prefer Unix IDs on disk over SIDs; helps NFSv3 performance
• But do not store automatic Unix IDs on disk

Decision procedure, with the slide's examples (Source -> Target, Flags; the slide marks the on-disk ID in BOLD, given here in brackets):

Incoming SID:
  If SID is algorithmic: use UID/GID                      S-1-5-21-101 -> 101                  [101]
  Else if external Unix ID exists: use UID/GID            S-1-5-1-2-3-100 -> 568, external     [568]
  Else if mapping in DB:
    If mapping target has on-disk flag: use that ID       S-1-5-4-5-6-348 -> 200, on-disk      [200]
    Else: use incoming ID                                 S-1-5-4-5-6-348 -> 200               [S-1-5-4-5-6-348]

Incoming UID/GID:
  If automatic Unix ID: use SID                           1,000,001 -> S-1-5-6-7-8-832         [S-1-5-6-7-8-832]
  Else: use ID                                            1054 -> S-1-5-6-7-8-423              [1054]
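As an added example (not OneFS code and not from the talk), the following Python models the ID Mapper Database of the earlier slide (two one-way entries per 1-to-1 mapping, plus type and on-disk flags) and runs the native on-disk decision above over the slide's own sample mappings. The class and function names (IdMapDB, on_disk_id, rfc2307_lookup) are assumptions, the sample mappings are constructed to match the slide, and the algorithmic SID check treats exactly two sub-authorities after S-1-5 as the UNIX_USER/UNIX_GROUP marker, which is a reading of the slide's S-1-5-21-<UID> notation rather than anything OneFS documents.

```python
"""Added example, not OneFS code: a toy ID Mapper Database (slide 14) and
the native On-Disk ID decision (slide 23).  Names are assumptions; the
algorithmic SID layout follows the slide (S-1-5-21-<UID>, S-1-5-22-<GID>)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple, Union

Ident = Union[str, int]                   # a SID string or a numeric UID/GID
AUTO_RANGE = range(1_000_000, 2_000_001)  # automatic UID/GID range (slide 12)


def parse_sid(sid: str) -> Tuple[int, int, Tuple[int, ...]]:
    """Split 'S-1-5-21-1-2-3-100' into (revision, authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    rev, auth, *subs = (int(p) for p in parts[1:])
    return rev, auth, tuple(subs)


def algorithmic_unix_id(sid: str) -> Optional[int]:
    """Return the UID/GID carried by an algorithmic SID, else None.
    Assumption: exactly two sub-authorities (21|22, id) mark the UNIX_USER /
    UNIX_GROUP domains, so a domain SID such as S-1-5-21-1-2-3-100 (five
    sub-authorities) is not mistaken for one."""
    _, auth, subs = parse_sid(sid)
    if auth == 5 and len(subs) == 2 and subs[0] in (21, 22):
        return subs[1]
    return None


def is_automatic(unix_id: int) -> bool:
    return unix_id in AUTO_RANGE


@dataclass(frozen=True)
class Mapping:
    target: Ident
    kind: str        # "external", "manual" or "automatic" (slide 14 flags)
    on_disk: bool    # target is the ID preferred for on-disk use


class IdMapDB:
    """1-to-1 mappings kept as two one-way entries, SID->UID and UID->SID."""

    def __init__(self) -> None:
        self._db: Dict[Ident, Mapping] = {}

    def add(self, sid: str, unix_id: int, kind: str, on_disk: str) -> None:
        """on_disk names the side preferred on disk: 'unix' or 'sid'."""
        self._db[sid] = Mapping(unix_id, kind, on_disk == "unix")
        self._db[unix_id] = Mapping(sid, kind, on_disk == "sid")

    def lookup(self, key: Ident) -> Optional[Mapping]:
        return self._db.get(key)


def on_disk_id(incoming: Ident, db: IdMapDB,
               rfc2307_lookup: Optional[Callable[[str], Optional[int]]] = None) -> Ident:
    """Native policy (slide 23): prefer real Unix IDs, never store automatic ones.
    rfc2307_lookup models the AD+RFC2307 source, which slide 13 lists as used
    on disk but not stored in the DB."""
    if isinstance(incoming, str):                      # a SID came in
        algo = algorithmic_unix_id(incoming)
        if algo is not None:
            return algo                                # S-1-5-21-101 -> 101
        if rfc2307_lookup is not None:
            ext = rfc2307_lookup(incoming)
            if ext is not None:
                return ext                             # UID/GID held in AD
        m = db.lookup(incoming)
        if m is not None and (m.kind == "external" or m.on_disk):
            return m.target                            # external, or target flagged on-disk
        return incoming                                # otherwise keep the SID
    if is_automatic(incoming):                         # a UID/GID came in
        m = db.lookup(incoming)
        if m is None:
            # assumption: an automatic ID always stems from a DB entry
            raise LookupError(f"automatic ID {incoming} has no mapping")
        return m.target                                # store the SID instead
    return incoming                                    # a real UID/GID stays


def demo_db() -> IdMapDB:
    """Constructed sample DB holding the mappings shown on slide 23."""
    db = IdMapDB()
    db.add("S-1-5-1-2-3-100", 568, "external", "unix")
    db.add("S-1-5-4-5-6-348", 200, "manual", "unix")      # admin flagged the UID on-disk
    db.add("S-1-5-6-7-8-832", 1_000_001, "automatic", "sid")
    db.add("S-1-5-6-7-8-423", 1054, "external", "unix")
    return db


if __name__ == "__main__":
    db = demo_db()
    for ident in ("S-1-5-21-101", "S-1-5-1-2-3-100", "S-1-5-4-5-6-348",
                  "S-1-5-6-7-8-832", 1_000_001, 1054):
        print(f"{ident!s:>18} -> on disk: {on_disk_id(ident, db)}")
```

Storing both directions under one key space is what lets the same lookup serve a SID arriving from SMB and a UID arriving from NFSv3; the automatic entry is the case to watch, since its on-disk flag must point at the SID side or the generated UID would leak onto disk.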

Corner Cases

• Storing a GROUP (SID or GID) as file OWNER: create well-known UIDs for everyone, owner_group and null
• LDAP/AD server hiccups: disable automatic mapping; we don't want an automatic ID to become authoritative in the ID map
• Unmappable SIDs: local machine SIDs from clients; untrusted AD domains

Corner Cases

• SamrLookupNames() only returns a single domain SID, but we have Local and UNIX_USERS/GROUPS domains: reserve the 32nd bit of the RID space to convert UNIX IDs to Local RIDs
• Historical SIDs: added to the token at authentication time, but they can't be represented in the 1-to-1 ID map; we don't handle these
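An added example, not from the talk or OneFS, of the reserved-bit scheme in the first bullet: a lookup can only return RIDs relative to one domain SID, so UNIX_USERS/GROUPS identities are answered as Local-domain RIDs with the 32nd bit set. The local domain SID and the account tables are constructed, the function names are assumptions, and the 32-bit RID size comes from the Identities slide.

```python
"""Added example, not OneFS code: tagging UNIX UIDs/GIDs into the Local
domain's RID space with the reserved 32nd bit (slide 25 corner case).
The domain SID, account tables and function names are constructed."""
from typing import Optional, Tuple

RID_BITS = 32
UNIX_FLAG = 1 << (RID_BITS - 1)      # the reserved 32nd bit
RID_MAX = (1 << RID_BITS) - 1        # RID space is 2^32 (Identities slide)

LOCAL_DOMAIN = "S-1-5-21-9-9-9"                  # constructed local domain SID
LOCAL_USERS = {"admin": 500, "backup": 1002}     # constructed local SAM accounts
UNIX_USERS = {"alice": 1001, "bob": 1054}        # constructed /etc/passwd UIDs


def unix_id_to_local_rid(unix_id: int) -> int:
    """Tag a UID/GID as coming from the UNIX space by setting the top bit.
    Reserving that bit halves the usable range, so IDs >= 2^31 cannot be
    represented and are rejected rather than silently aliased."""
    if not 0 <= unix_id < UNIX_FLAG:
        raise ValueError(f"UNIX id {unix_id} does not fit below the reserved bit")
    return unix_id | UNIX_FLAG


def split_local_rid(rid: int) -> Tuple[str, int]:
    """Invert the tagging: ('unix', uid) for flagged RIDs, ('local', rid) otherwise."""
    if not 0 <= rid <= RID_MAX:
        raise ValueError(f"RID {rid} outside the 32-bit RID space")
    if rid & UNIX_FLAG:
        return "unix", rid & (UNIX_FLAG - 1)
    return "local", rid


def lookup_name(name: str) -> Optional[Tuple[str, int]]:
    """Answer a SamrLookupNames()-style query with one domain SID plus a RID,
    even when the account lives in the UNIX_USERS space."""
    if name in LOCAL_USERS:
        return LOCAL_DOMAIN, LOCAL_USERS[name]
    if name in UNIX_USERS:
        return LOCAL_DOMAIN, unix_id_to_local_rid(UNIX_USERS[name])
    return None


def sid_for(name: str) -> Optional[str]:
    """Full SID string for a name, or None if the name is unknown."""
    hit = lookup_name(name)
    return None if hit is None else f"{hit[0]}-{hit[1]}"


if __name__ == "__main__":
    for n in ("admin", "bob", "nobody"):
        print(n, "->", sid_for(n))
```

The decode side matters for correctness checks: a RID with the top bit set must be resolved against the UNIX tables, not the local SAM, or two different principals would collide on the same SID string.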

Lessons Learned

• Windows and Unix security models are not that different
• Nobody wants the simple case
• Identity Mapping requires flexibility
• Making this flexibility simple is the challenge
• Encourage AD + RFC2307 usage

References

• OneFS 7.0 Administration Guide, available to Isilon customers
• EMC Isilon Multiprotocol Data Access with a Unified Security Model for SMB and NFS, http://www.emc.com/collateral/software/white-papers/h10920-wp-onefs-multiprotocol.pdf (Google "multiprotocol data access")
• Permissions Mapping in the Isilon OneFS File System, presented at SDC 2009, available at http://www.danneman.org

Contact: [email protected]